A full 80% of the active drive-by attacks observed in the past month can be attributed to the Angler exploit kit and its as-a-service rental model.
“Angler relies on a huge and resilient infrastructure to distribute all sorts of malware, and the exploit kit operations have been quite intense for the past months,” said Andra Zaharia, security specialist at Heimdal Security, adding that since the Angler exploit kit surfaced in 2013, it’s evolved into a massive threat for users and companies alike. “But this new upsurge in Angler activity shows that the exploit kit could be getting even stronger.”
She added that Angler’s success in the cyber-criminal community is heavily reinforced by the aggressive tactics that the exploit kit employs. One of these tactics is using a domain generation algorithm to engineer high-volume compromises without being detected by traditional antivirus.
A domain generation algorithm (DGA) is a method for generating a large number of domains by creating slightly different variations of a certain domain name. The generated domains are used to hide the traffic transmitted between the infected machines or networks and the command and control servers.
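On the defender's side, the footprint a DGA leaves in resolver logs is a host that looks up many distinct, random-looking names, most of which do not resolve. The following Python heuristic, an added example that is not from the article or from Heimdal, scores clients in a constructed DNS log on exactly that: the number of distinct NXDOMAIN names per client and the mean Shannon entropy of the varying (leftmost) label. The log format and the thresholds are assumptions to be tuned against real traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not from the article): "<client> <qname> <rcode>".
# 10.0.0.9 cycles through algorithmically generated names; 10.0.0.7 makes
# ordinary typo-style NXDOMAIN lookups that a detector must not flag.
SAMPLE_LOG = """\
10.0.0.7 wwww.example.net NXDOMAIN
10.0.0.7 mail1.example.net NXDOMAIN
10.0.0.7 intranett.example.net NXDOMAIN
10.0.0.9 qx7zk2p1vbn.example.net NXDOMAIN
10.0.0.9 h3t9mwlqz8fa.example.net NXDOMAIN
10.0.0.9 zk1pq7x3bnm.example.net NXDOMAIN
10.0.0.9 vb8n2qlx9zk.example.net NXDOMAIN
10.0.0.9 www.example.net NOERROR
"""

def entropy(label: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty label)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def leftmost_label(qname: str) -> str:
    """The label that varies between the generated names (the leftmost one)."""
    return qname.lower().rstrip(".").split(".")[0]

def score_clients(log_text, min_nx=3, entropy_min=3.0):
    """Flag clients with >= min_nx distinct NXDOMAIN names whose leftmost labels have
    mean entropy >= entropy_min (thresholds are assumed tuning starts, not article values)."""
    per_client = defaultdict(lambda: {"total": 0, "nx": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed lines instead of crashing the detector
        client, qname, rcode = parts
        per_client[client]["total"] += 1
        if rcode == "NXDOMAIN":
            per_client[client]["nx"].add(qname)
    flagged = {}
    for client, rec in per_client.items():
        nx = rec["nx"]
        if len(nx) < min_nx:
            continue
        mean_ent = sum(entropy(leftmost_label(q)) for q in nx) / len(nx)
        if mean_ent >= entropy_min:
            flagged[client] = {"nx_count": len(nx),
                               "nx_ratio": round(len(nx) / rec["total"], 2),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged
```

Run against the sample, only 10.0.0.9 is flagged; 10.0.0.7 has enough failed lookups but its labels are ordinary words, so the entropy gate lets it through.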
Several Danish companies have felt the brunt of this in the past few days as attackers added a big chunk of new malicious domains to their attack. In this recent campaign, Angler was distributed via malicious web injects in legitimate websites, bent on drive-by infections.
“The most insidious and dangerous thing about drive-by downloads is that they don’t require any user interaction for the infection to take place,” said Zaharia. “So if an employee in a targeted company visits a website infected with the exploit kit, Angler will first go after vulnerabilities in Adobe Flash Player and Silverlight. And neither of these applications lack in security holes.”
If Flash or Silverlight are left out of date, Angler will start feeding the infected PC with ransomware. This time it was Mobef, a new strain of ransomware which is still being analyzed by experts. A similar campaign uses the malicious web injects to infect Windows-based PCs with a combination of click-fraud malware (Bedep) and CryptXXX, a brand new ransomware strain.
Heimdal also said that in the past week, the observed Angler campaigns revealed that a large number of DGA domains are hosted in Romania—even though the cyber-criminals behind Angler go for the most lucrative targets, which are often located in Northern or Western Europe, or in the US.
“Even though efforts to disrupt Angler’s infrastructure have been made towards the end of 2015, attackers are not planning to give up on their business, because there’s too much money involved,” Zaharia noted.
In fact, according to Tripwire, organized criminal gangs who have been using Angler are stealing up to $3 million each month through ransomware attacks. And the barrier to entry is low: exploit kits-as-a-service don't require much technical expertise to use, they are cheaper (especially if rented), and they are flexible enough to be packed with different types of malware. They also offer broader reach, are usually difficult to detect and can be used to exploit a wide range of vulnerabilities.
“This business model makes it very profitable for exploit kit makers to sell their malicious code and increase their revenues,” Zaharia noted.